#1
  1. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Feb 2013
    Posts
    8
    Rep Power
    0

    My Php email form stopped working...


    Hi,

    First off, I'm not a PHP wiz so don't get too technical or make assumptions I know things.

    I have a PHP form accessed via a Flash-based web site. It was working fine forever then stopped. I guess my hosting provider changed to a new version of PHP and maybe that is the reason.

    What happens is the email comes through, but WITHOUT any of the data entered by the user.

    The code:

    PHP Code:
    <?php

    #change the email address in the variable $adminaddress below to the email address you want 
    #the form to send to.

    $adminaddress = "ZZZ@mydomain.com";
    $sitename = "THE CONTACT FORM";

    #make sure your input field variable names in flash are the same as the field names below, 
    #leave out the dollar sign in flash.

    mail("$adminaddress","Contact Form",
    "You have received an email from: $sitename\n
    Name: 
    $name 
    Subject: 
    $telno
    Phone: 
    $phone
    Email: 
    $from\n
    Message:
    -----------------------------------------------------------------------------------------
    $message


    -----------------------------------------------------------------------------------------
    Using: 
    $HTTP_USER_AGENT  
    Hostname: 
    $ip
    IP address: 
    $REMOTE_ADDR   
    Date/Time:  
    $date","FROM:$from"); 

    ?>


    I know you may say to use $_SERVER['HTTP_USER_AGENT'] in place of $HTTP_USER_AGENT and another sub for remote_addr, but when I change those the email is not generated at all.


    This is the content of the email I receive:

    You have received an email from: THE CONTACT FORM

    Name:
    Subject:
    Phone:
    Email:

    Message:
    -----------------------------------------------------------------------------------------



    -----------------------------------------------------------------------------------------
    Using:
    Hostname:
    IP address:
    Date/Time:

    No data!

    Is it possible I need to tweak something in FLASH where the form is generated due to a PHP update?

    Also, should there be a lib.php file to go with this form as well? (I have messed with some others that have associated lib.php files.)

    Nothing else would have changed.

    Thanks,

    MP
  2. #2
  3. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,957
    Rep Power
    1046
    Hi,

    In the Stone Age of PHP programming, there used to be a "feature" called Register Globals, which would automatically inject user-defined values (URL parameters, form data etc.) into PHP variables. It's one of the biggest security holes in the history of PHP. Security-aware people turned it off 15 years ago, it's been turned off by default since 2000, and it no longer exists in current PHP versions.

    The fact that your hoster had this "feature" turned on until recently isn't exactly a good sign. Personally, I would consider moving to a hoster who actually cares about security and doesn't run around with software from the late 90s.

    And of course this is a warning sign for you: You need to either learn PHP or find someone who knows it. Your code is ancient and extremely insecure with no protection whatsoever. It's begging for abuse. If the rest of the application looks similar, your server might already have been captured and is now busy sending mails for the spam mafia.

    I understand that you're not a PHP pro. Unfortunately, attackers don't care about that.
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
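
A handler for this form that reads each field from `$_POST` explicitly instead of relying on Register Globals, and keeps visitor input out of the `From` header. This is an added example, not part of the original thread. It assumes PHP 7 or later and that the Flash form submits with POST; `webform@mydomain.com` is a placeholder sender address.

```php
<?php
// Added example, not the original poster's script. Field names come from the
// original form; the sender address is a placeholder.
$adminAddress = 'ZZZ@mydomain.com';      // recipient, fixed on the server
$fromAddress  = 'webform@mydomain.com';  // placeholder: fixed sender address
$siteName     = 'THE CONTACT FORM';

// Read one POST field explicitly. Missing or non-string input becomes ''.
// Single-line fields have CR/LF and other control characters removed.
function field(string $key, int $maxLen, bool $multiline = false): string
{
    $value = $_POST[$key] ?? '';
    if (!is_string($value)) {
        return '';
    }
    if (!$multiline) {
        $value = preg_replace('/[\x00-\x1F\x7F]+/', ' ', $value);
    }
    return substr(trim($value), 0, $maxLen);
}

if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
    http_response_code(405);
    exit('Method not allowed');
}

// The visitor's address is validated and used only in Reply-To, never in From.
$replyTo = filter_var(field('from', 254), FILTER_VALIDATE_EMAIL);
if ($replyTo === false) {
    http_response_code(400);
    exit('Please enter a valid email address.');
}

$body = "You have received an email from: $siteName\n\n"
      . 'Name: '    . field('name', 100)  . "\n"
      . 'Subject: ' . field('telno', 150) . "\n"
      . 'Phone: '   . field('phone', 40)  . "\n"
      . "Email: $replyTo\n\n"
      . "Message:\n" . field('message', 5000, true) . "\n\n"
      . 'Using: '      . substr($_SERVER['HTTP_USER_AGENT'] ?? '', 0, 300) . "\n"
      . 'IP address: ' . ($_SERVER['REMOTE_ADDR'] ?? '') . "\n"
      . 'Date/Time: '  . date('c') . "\n";

// Headers contain only server-side values plus the validated address.
$headers = "From: $fromAddress\r\nReply-To: $replyTo";

$sent = mail($adminAddress, 'Contact Form', $body, $headers);
http_response_code($sent ? 200 : 500);
echo $sent ? 'OK' : 'Failed';
```
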
  4. #3
  5. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Feb 2013
    Posts
    8
    Rep Power
    0
    Jacques,

    Thanks for the heads up on the security issues with this code, I heed your warnings and appreciate your advice.

    I do however need a solution. I wear many hats and do not have time to master all facets of the IT world, PHP coding being one of them.

    Just as I do not have the experience or wherewithal to rebuild the transmission of my car, I trust that to others and will never take the time to learn this specialty. I can however drain the pan, replace the filter, and put new fluid in to get and keep things rolling.

    I consult forums like this and get the tools and advice necessary to "get the job done" where I can't take the time to fully learn the specialty. I also contribute to such to help others.

    So I'm here looking for help and to find a solution to a form that is no longer working.

    I know there are form code snippets and such that should get the job done and do it securely.

    Can you point me in such a direction?

    Thanks much,

    MP
  6. #4
  7. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,957
    Rep Power
    1046
    You need to know enough about your car to drive safely and not run over the next group of schoolkids. It's the same with PHP. Nobody said that you have to become some kind of PHP guru overnight. But you need a basic understanding of programming so that you won't put your server or your users at risk.

    Blindly relying on code you found somewhere on the Internet is a very bad idea. Many PHP "programmers" really don't know what they're doing. If you're lucky, their code will simply not work. If you have less luck, the code will (unintentionally) act as some kind of trojan horse -- which is what just happened. It's sad, but that's how it is.

    So I see two options:

    Either you learn the basics of PHP. This includes


    Or you find a programmer (a real one, not a "programmer") who's willing to do the work for you.